Release Notes

 

GA Release Matrix

The table lists the latest released frevvo versions.

Product Version Matrix
ProductLatest VersionRelease DateRelease Notes
frevvo Cloudv11.1.402/13/2024Detailed Release Notes
frevvo On Premisev11.0.1311/28/2023Detailed Release Notes
frevvo for Confluencev10.1.22*03/30/2022Detailed Release Notes
frevvo Confluence Pluginsee ref


Confluence Add-on Release Notes

*Not available in v11.0+

frevvo Database Connector

v2.8.0 (Cloud Only)

v2.7.1

07/12/2023

09/17/2022

Database Connector Release Notes

frevvo Filesystem Connector

v1.4.0

09/17/2022

Filesystem Connector Release Notes
frevvo Google Connector

v3.3.0 (Cloud Only)

v3.1.1

07/12/2023

01/05/2023

Google Connector Release Notes
frevvo SharePoint Connector

v1.3.0 (Cloud Only)

v1.2.0

07/12/2023

09/17/2022

SharePoint Connector Release Notes
frevvo API .NET Clientsee ref

Data API Client Libraries Releases

*frevvo for Confluence is no longer available in v11.0+.

Security Vulnerabilities

The following security vulnerabilities have been addressed as follows:

  • Man in the middle - This has to do with executing the CGI Servlet. This servlet is disabled in the frevvo Apache tomcat distribution. Customers who choose to enable the servlet are responsible for ensuring security viz. adding filter etc.
  • Version Disclosures - Resolved by configuring the ErrorReportValve in \frevvo\tomcat\conf\server.xml file (in the Host section) as described in this Apache tomcat website. The parameter that needs to be modified is:

    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
  • X-Frame-Options Header Not Set - Resolved by modification at the tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the tomcat web.xml. The filter is documented here. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter - (SAMEORIGIN or ALLOW-FROM).

    Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOW-FROM instead.

    Click the appropriate link below for filter examples.

    Example of filter with SAMEORIGIN
    <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    		<init-param>
    			<param-name>antiClickJackingOption</param-name>
    			<param-value>SAMEORIGIN</param-value>
    		</init-param>
            <async-supported>true</async-supported>
    </filter>
    
    <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    
    Example of filter with ALLOW-FROM for embedded forms
    <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    		<init-param>
    			<param-name>antiClickJackingOption</param-name>
    			<param-value>ALLOW-FROM</param-value>
    		</init-param>
    		<init-param> 
                <param-name>antiClickJackingUri</param-name> 
                <param-value> http://example.com:80/*</param-value> 
            </init-param>
            <async-supported>true</async-supported>
    </filter>
    
    <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
    </filter-mapping> 

  • frevvo v10.2 resolved Apache Log4j vulnerability with SOLR upgrade.